mirrors/uquic
1
0
Fork 0
mirror of https://github.com/refraction-networking/uquic.git synced 2025-04-04 20:57:36 +03:00
Code Issues Projects Releases Packages Wiki Activity

reject invalid active_connection_id_limit transport parameter values (#3687)

Browse source
This commit is contained in:
Marten Seemann 2023-02-01 17:03:19 -08:00 committed by GitHub
parent 89769f409f
commit 3d9380ec3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 54 additions and 28 deletions
Download patch file Download diff file Expand all files Collapse all files

4
fuzzing/handshake/cmd/corpus.go
View file

@ -78,7 +78,7 @@ func main() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
runner, runner,
&tls.Config{ &tls.Config{
ServerName: "localhost", ServerName: "localhost",
@ -102,7 +102,7 @@ func main() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
runner, runner,
config, config,
nil, nil,

2
fuzzing/transportparameters/cmd/corpus.go
View file

@ -38,7 +38,7 @@ func main() {
MaxUniStreamNum: protocol.StreamNum(getRandomValue()), MaxUniStreamNum: protocol.StreamNum(getRandomValue()),
MaxBidiStreamNum: protocol.StreamNum(getRandomValue()), MaxBidiStreamNum: protocol.StreamNum(getRandomValue()),
MaxIdleTimeout: time.Duration(getRandomValue()), MaxIdleTimeout: time.Duration(getRandomValue()),
ActiveConnectionIDLimit: getRandomValue(), ActiveConnectionIDLimit: getRandomValue() + 2,
} }
if rand.Int()%2 == 0 { if rand.Int()%2 == 0 {
tp.OriginalDestinationConnectionID = protocol.ParseConnectionID(getRandomData(rand.Intn(21))) tp.OriginalDestinationConnectionID = protocol.ParseConnectionID(getRandomData(rand.Intn(21)))

41
internal/handshake/crypto_setup_test.go
View file

@ -428,7 +428,7 @@ var _ = Describe("Crypto Setup TLS", func() {
_, _, clientErr, _, serverErr := handshakeWithTLSConf( _, _, clientErr, _, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
&utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -440,7 +440,7 @@ var _ = Describe("Crypto Setup TLS", func() {
_, _, clientErr, _, serverErr := handshakeWithTLSConf( _, _, clientErr, _, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
&utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -453,7 +453,7 @@ var _ = Describe("Crypto Setup TLS", func() {
_, _, clientErr, _, serverErr := handshakeWithTLSConf( _, _, clientErr, _, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
&utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -502,7 +502,7 @@ var _ = Describe("Crypto Setup TLS", func() {
It("receives transport parameters", func() { It("receives transport parameters", func() {
var cTransportParametersRcvd, sTransportParametersRcvd *wire.TransportParameters var cTransportParametersRcvd, sTransportParametersRcvd *wire.TransportParameters
cChunkChan, cInitialStream, cHandshakeStream := initStreams() cChunkChan, cInitialStream, cHandshakeStream := initStreams()
cTransportParameters := &wire.TransportParameters{MaxIdleTimeout: 0x42 * time.Second} cTransportParameters := &wire.TransportParameters{ActiveConnectionIDLimit: 2, MaxIdleTimeout: 0x42 * time.Second}
cRunner := NewMockHandshakeRunner(mockCtrl) cRunner := NewMockHandshakeRunner(mockCtrl)
cRunner.EXPECT().OnReceivedParams(gomock.Any()).Do(func(tp *wire.TransportParameters) { sTransportParametersRcvd = tp }) cRunner.EXPECT().OnReceivedParams(gomock.Any()).Do(func(tp *wire.TransportParameters) { sTransportParametersRcvd = tp })
cRunner.EXPECT().OnHandshakeComplete() cRunner.EXPECT().OnHandshakeComplete()
@ -528,8 +528,9 @@ var _ = Describe("Crypto Setup TLS", func() {
sRunner.EXPECT().OnReceivedParams(gomock.Any()).Do(func(tp *wire.TransportParameters) { cTransportParametersRcvd = tp }) sRunner.EXPECT().OnReceivedParams(gomock.Any()).Do(func(tp *wire.TransportParameters) { cTransportParametersRcvd = tp })
sRunner.EXPECT().OnHandshakeComplete() sRunner.EXPECT().OnHandshakeComplete()
sTransportParameters := &wire.TransportParameters{ sTransportParameters := &wire.TransportParameters{
MaxIdleTimeout: 0x1337 * time.Second, MaxIdleTimeout: 0x1337 * time.Second,
StatelessResetToken: &token, StatelessResetToken: &token,
ActiveConnectionIDLimit: 2,
} }
server := NewCryptoSetupServer( server := NewCryptoSetupServer(
sInitialStream, sInitialStream,
@ -571,7 +572,7 @@ var _ = Describe("Crypto Setup TLS", func() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
cRunner, cRunner,
clientConf, clientConf,
false, false,
@ -592,7 +593,7 @@ var _ = Describe("Crypto Setup TLS", func() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{StatelessResetToken: &token}, &wire.TransportParameters{ActiveConnectionIDLimit: 2, StatelessResetToken: &token},
sRunner, sRunner,
serverConf, serverConf,
nil, nil,
@ -630,7 +631,7 @@ var _ = Describe("Crypto Setup TLS", func() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
cRunner, cRunner,
clientConf, clientConf,
false, false,
@ -651,7 +652,7 @@ var _ = Describe("Crypto Setup TLS", func() {
protocol.ConnectionID{}, protocol.ConnectionID{},
nil, nil,
nil, nil,
&wire.TransportParameters{StatelessResetToken: &token}, &wire.TransportParameters{ActiveConnectionIDLimit: 2, StatelessResetToken: &token},
sRunner, sRunner,
serverConf, serverConf,
nil, nil,
@ -693,7 +694,7 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientOrigRTTStats, &utils.RTTStats{}, clientOrigRTTStats, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -709,7 +710,7 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientRTTStats, &utils.RTTStats{}, clientRTTStats, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -734,7 +735,7 @@ var _ = Describe("Crypto Setup TLS", func() {
_, client, clientErr, server, serverErr := handshakeWithTLSConf( _, client, clientErr, server, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
&utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -748,7 +749,7 @@ var _ = Describe("Crypto Setup TLS", func() {
_, client, clientErr, server, serverErr = handshakeWithTLSConf( _, client, clientErr, server, serverErr = handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
&utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{}, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{}, &wire.TransportParameters{ActiveConnectionIDLimit: 2}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
false, false,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -776,7 +777,8 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientOrigRTTStats, serverOrigRTTStats, clientOrigRTTStats, serverOrigRTTStats,
&wire.TransportParameters{}, &wire.TransportParameters{InitialMaxData: initialMaxData}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
&wire.TransportParameters{ActiveConnectionIDLimit: 2, InitialMaxData: initialMaxData},
true, true,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -795,7 +797,8 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientRTTStats, serverRTTStats, clientRTTStats, serverRTTStats,
&wire.TransportParameters{}, &wire.TransportParameters{InitialMaxData: initialMaxData}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
&wire.TransportParameters{ActiveConnectionIDLimit: 2, InitialMaxData: initialMaxData},
true, true,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -829,7 +832,8 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr := handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientOrigRTTStats, &utils.RTTStats{}, clientOrigRTTStats, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{InitialMaxData: initialMaxData}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
&wire.TransportParameters{ActiveConnectionIDLimit: 2, InitialMaxData: initialMaxData},
true, true,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())
@ -847,7 +851,8 @@ var _ = Describe("Crypto Setup TLS", func() {
clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf( clientHelloWrittenChan, client, clientErr, server, serverErr = handshakeWithTLSConf(
clientConf, serverConf, clientConf, serverConf,
clientRTTStats, &utils.RTTStats{}, clientRTTStats, &utils.RTTStats{},
&wire.TransportParameters{}, &wire.TransportParameters{InitialMaxData: initialMaxData - 1}, &wire.TransportParameters{ActiveConnectionIDLimit: 2},
&wire.TransportParameters{ActiveConnectionIDLimit: 2, InitialMaxData: initialMaxData - 1},
true, true,
) )
Expect(clientErr).ToNot(HaveOccurred()) Expect(clientErr).ToNot(HaveOccurred())

2
internal/handshake/session_ticket_test.go
View file

@ -17,6 +17,7 @@ var _ = Describe("Session Ticket", func() {
Parameters: &wire.TransportParameters{ Parameters: &wire.TransportParameters{
InitialMaxStreamDataBidiLocal: 1, InitialMaxStreamDataBidiLocal: 1,
InitialMaxStreamDataBidiRemote: 2, InitialMaxStreamDataBidiRemote: 2,
ActiveConnectionIDLimit: 10,
}, },
RTT: 1337 * time.Microsecond, RTT: 1337 * time.Microsecond,
} }
@ -24,6 +25,7 @@ var _ = Describe("Session Ticket", func() {
Expect(t.Unmarshal(ticket.Marshal())).To(Succeed()) Expect(t.Unmarshal(ticket.Marshal())).To(Succeed())
Expect(t.Parameters.InitialMaxStreamDataBidiLocal).To(BeEquivalentTo(1)) Expect(t.Parameters.InitialMaxStreamDataBidiLocal).To(BeEquivalentTo(1))
Expect(t.Parameters.InitialMaxStreamDataBidiRemote).To(BeEquivalentTo(2)) Expect(t.Parameters.InitialMaxStreamDataBidiRemote).To(BeEquivalentTo(2))
Expect(t.Parameters.ActiveConnectionIDLimit).To(BeEquivalentTo(10))
Expect(t.RTT).To(Equal(1337 * time.Microsecond)) Expect(t.RTT).To(Equal(1337 * time.Microsecond))
}) })

30
internal/wire/transport_parameter_test.go
View file

@ -100,7 +100,7 @@ var _ = Describe("Transport Parameters", func() {
RetrySourceConnectionID: &rcid, RetrySourceConnectionID: &rcid,
AckDelayExponent: 13, AckDelayExponent: 13,
MaxAckDelay: 42 * time.Millisecond, MaxAckDelay: 42 * time.Millisecond,
ActiveConnectionIDLimit: getRandomValue(), ActiveConnectionIDLimit: 2 + getRandomValueUpTo(math.MaxInt64-2),
MaxDatagramFrameSize: protocol.ByteCount(getRandomValue()), MaxDatagramFrameSize: protocol.ByteCount(getRandomValue()),
} }
data := params.Marshal(protocol.PerspectiveServer) data := params.Marshal(protocol.PerspectiveServer)
@ -127,7 +127,8 @@ var _ = Describe("Transport Parameters", func() {
It("doesn't marshal a retry_source_connection_id, if no Retry was performed", func() { It("doesn't marshal a retry_source_connection_id, if no Retry was performed", func() {
data := (&TransportParameters{ data := (&TransportParameters{
StatelessResetToken: &protocol.StatelessResetToken{}, StatelessResetToken: &protocol.StatelessResetToken{},
ActiveConnectionIDLimit: 2,
}).Marshal(protocol.PerspectiveServer) }).Marshal(protocol.PerspectiveServer)
p := &TransportParameters{} p := &TransportParameters{}
Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed()) Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed())
@ -139,6 +140,7 @@ var _ = Describe("Transport Parameters", func() {
data := (&TransportParameters{ data := (&TransportParameters{
RetrySourceConnectionID: &rcid, RetrySourceConnectionID: &rcid,
StatelessResetToken: &protocol.StatelessResetToken{}, StatelessResetToken: &protocol.StatelessResetToken{},
ActiveConnectionIDLimit: 2,
}).Marshal(protocol.PerspectiveServer) }).Marshal(protocol.PerspectiveServer)
p := &TransportParameters{} p := &TransportParameters{}
Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed()) Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed())
@ -231,6 +233,18 @@ var _ = Describe("Transport Parameters", func() {
Expect(float32(dataLen) / num).To(BeNumerically("~", float32(defaultLen)/num+float32(entryLen), 1)) Expect(float32(dataLen) / num).To(BeNumerically("~", float32(defaultLen)/num+float32(entryLen), 1))
}) })
It("errors when the active_connection_id_limit is too small", func() {
data := (&TransportParameters{
ActiveConnectionIDLimit: 1,
StatelessResetToken: &protocol.StatelessResetToken{},
}).Marshal(protocol.PerspectiveServer)
p := &TransportParameters{}
Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(MatchError(&qerr.TransportError{
ErrorCode: qerr.TransportParameterError,
ErrorMessage: "invalid value for active_connection_id_limit: 1 (minimum 2)",
}))
})
It("errors when the ack_delay_exponenent is too large", func() { It("errors when the ack_delay_exponenent is too large", func() {
data := (&TransportParameters{ data := (&TransportParameters{
AckDelayExponent: 21, AckDelayExponent: 21,
@ -265,8 +279,9 @@ var _ = Describe("Transport Parameters", func() {
It("sets the default value for the ack_delay_exponent, when no value was sent", func() { It("sets the default value for the ack_delay_exponent, when no value was sent", func() {
data := (&TransportParameters{ data := (&TransportParameters{
AckDelayExponent: protocol.DefaultAckDelayExponent, AckDelayExponent: protocol.DefaultAckDelayExponent,
StatelessResetToken: &protocol.StatelessResetToken{}, StatelessResetToken: &protocol.StatelessResetToken{},
ActiveConnectionIDLimit: 2,
}).Marshal(protocol.PerspectiveServer) }).Marshal(protocol.PerspectiveServer)
p := &TransportParameters{} p := &TransportParameters{}
Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed()) Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed())
@ -416,8 +431,9 @@ var _ = Describe("Transport Parameters", func() {
It("marshals and unmarshals", func() { It("marshals and unmarshals", func() {
data := (&TransportParameters{ data := (&TransportParameters{
PreferredAddress: pa, PreferredAddress: pa,
StatelessResetToken: &protocol.StatelessResetToken{}, StatelessResetToken: &protocol.StatelessResetToken{},
ActiveConnectionIDLimit: 2,
}).Marshal(protocol.PerspectiveServer) }).Marshal(protocol.PerspectiveServer)
p := &TransportParameters{} p := &TransportParameters{}
Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed()) Expect(p.Unmarshal(data, protocol.PerspectiveServer)).To(Succeed())
@ -483,7 +499,7 @@ var _ = Describe("Transport Parameters", func() {
InitialMaxData: protocol.ByteCount(getRandomValue()), InitialMaxData: protocol.ByteCount(getRandomValue()),
MaxBidiStreamNum: protocol.StreamNum(getRandomValueUpTo(int64(protocol.MaxStreamCount))), MaxBidiStreamNum: protocol.StreamNum(getRandomValueUpTo(int64(protocol.MaxStreamCount))),
MaxUniStreamNum: protocol.StreamNum(getRandomValueUpTo(int64(protocol.MaxStreamCount))), MaxUniStreamNum: protocol.StreamNum(getRandomValueUpTo(int64(protocol.MaxStreamCount))),
ActiveConnectionIDLimit: getRandomValue(), ActiveConnectionIDLimit: 2 + getRandomValueUpTo(math.MaxInt64-2),
} }
Expect(params.ValidFor0RTT(params)).To(BeTrue()) Expect(params.ValidFor0RTT(params)).To(BeTrue())
b := params.MarshalForSessionTicket(nil) b := params.MarshalForSessionTicket(nil)

3
internal/wire/transport_parameters.go
View file

@ -303,6 +303,9 @@ func (p *TransportParameters) readNumericTransportParameter(
} }
p.MaxAckDelay = time.Duration(val) * time.Millisecond p.MaxAckDelay = time.Duration(val) * time.Millisecond
case activeConnectionIDLimitParameterID: case activeConnectionIDLimitParameterID:
if val < 2 {
return fmt.Errorf("invalid value for active_connection_id_limit: %d (minimum 2)", val)
}
p.ActiveConnectionIDLimit = val p.ActiveConnectionIDLimit = val
case maxDatagramFrameSizeParameterID: case maxDatagramFrameSizeParameterID:
p.MaxDatagramFrameSize = protocol.ByteCount(val) p.MaxDatagramFrameSize = protocol.ByteCount(val)